On Sun, Sep 19, 2004 at 12:29:42PM -0700, Dave Crocker wrote:
Mark,
On Sun, 19 Sep 2004 10:57:50 -0700, Mark C. Langston wrote:
But with SPF, the trust you're being asked to place is not whether the
sender is authorized to use that MAIL FROM:; it's whether the entity
connecting to your MTA (the destination MTA, presumably) is one
associated with the MAIL FROM: RHS. It's a somewhat subtle, but
important, distinction.
I think that summarizing SPF as asking "whether the sender is authorized to use that MAIL FROM:"
Rather than simply giving a different summary that is valid, could you please
explain what is wrong with the semantics of this one?
Yes. Sorry for not being clear the first time. It's a problem for the
reason pointed out by the poster to whom I was responding: it says
nothing about the policies of the entity connecting to the MTA doing the
SPF check. There's no way to know whether the original sender was, in
fact, a legitimate claimant to that MAIL FROM:. The connecting MTA
could be an open relay, allowing anyone to claim that MAIL FROM: and
pass it through that MTA to the destination. If the SPF record checks
out, the best you can say is that the connecting MTA is legitimately
associated with that domain name.
--
Mark C. Langston GOSSiP Project Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org http://sufficiently-advanced.net
mark(_at_)seti(_dot_)org
Systems & Network Admin Distributed SETI Institute
http://bitshift.org E-mail Reputation http://www.seti.org
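
The distinction drawn in the reply above, as an added example that is not part of the original message: a minimal evaluator for the ip4/ip6/all subset of SPF, showing that the only inputs to the check are the connecting IP and the MAIL FROM domain. The record, addresses, and the names `SPF_RECORDS`, `check_host` and `demo` are constructed for illustration; no DNS lookups are made.

```python
import ipaddress

# Constructed SPF record using documentation address ranges (assumption).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(client_ip, mail_from):
    """Evaluate ip4/ip6/all for one SMTP connection.

    Only the connecting IP and the domain (RHS) of MAIL FROM are used;
    nothing about who originally submitted the message is available here.
    """
    domain = mail_from.rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # Simplification: a, mx, include, etc. need DNS and are skipped.
    return "neutral"

def demo():
    relay = "192.0.2.10"  # MTA covered by the record; its relay policy is unknown
    cases = [
        ("domain's own user via listed MTA", relay, "alice@example.org"),
        ("unrelated party via same listed MTA", relay, "alice@example.org"),
        ("unrelated party, direct connection", "203.0.113.7", "alice@example.org"),
    ]
    return [(who, check_host(ip, frm)) for who, ip, frm in cases]

if __name__ == "__main__":
    for who, result in demo():
        print(f"{result:5}  {who}")
```

The first two cases are indistinguishable to the receiving MTA: both pass, because the result describes the connecting MTA's association with the domain and nothing more.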